path: root/src/plugins/acl
Age | Commit message | Author | Files | Lines
2018-10-23 | c11 safe string handling support | Dave Barach | 4 files | -61/+61
  Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
  Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-20 | acl-plugin: use the L2 feature arc infrastructure instead of L2 classifier for plumbing | Andrew Yourtchenko | 3 files | -699/+304
  This makes ACL plugin use the new feature arcs, which slightly increases performance. Since for ethertype whitelisting we were using the L2 classifier, to retain the functionality, make a simple node doing that, and plug it into non-ip L2 feature arc whenever needed.
  Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-19 | vppinfra: add atomic macros for __sync builtins | Sirshak Das | 1 file | -3/+3
  This is the first part of the addition of atomic macros, with only macros for __sync builtins.
  - Based on earlier patch by Damjan (https://gerrit.fd.io/r/#/c/10729/)
  Additionally
  - clib_atomic_release macro added and used in the absence of any memory barrier.
  - clib_atomic_bool_cmp_and_swap added
  Change-Id: Ie4e48c1e184a652018d1d0d87c4be80ddd180a3b
  Original-patch-by: Damjan Marion <damarion@cisco.com>
  Signed-off-by: Sirshak Das <sirshak.das@arm.com>
  Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
  Reviewed-by: Ola Liljedahl <ola.liljedahl@arm.com>
  Reviewed-by: Steve Capper <steve.capper@arm.com>
2018-10-17 | acl-plugin: tuplemerge: refresh the pointer to hash-readied ACL entries per each collision in split_partition() (VPP-1458) | Andrew Yourtchenko | 1 file | -0/+2
  A pointer to hash-ready ACL rules is only set once, which might cause a crash if there are colliding entries from more than one ACL applied. Solution: reload the pointer based on the element being processed.
  Change-Id: I7a701c2c3b4236d67293159f2a33c4f967168953
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit 84112dd4f98e5a31a8c7340a741f89e77fd03363)
2018-10-10 | acl-plugin: reduce the syslog level for debug messages | Andrew Yourtchenko | 1 file | -5/+6
  Change-Id: Ie8380cb39424548bf64cb19aee59ec20e29d1e39
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-04 | acl-plugin: tuplemerge: avoid batch-resize of the applied entries vector - VPP-1352 | Andrew Yourtchenko | 1 file | -2/+6
  If the number of rules within a given partition exceeds the limit, the split_partition() might get called, in which we calculate the relaxed mask, create a new partition with that mask and attempt to reallocate some entries from the overcrowded partition.
  The non-TM code was pre-expanding the vector with rules by the number of rules in the new ACL being applied - which caused the split_partition() to iterate over the rules filled with zeroes. Most of the time it is benign, but if a newly created relaxed partition is such that these entries can be "relocated", then the code attempts to do so, which does not end well.
  Change-Id: I2dbf3ccd29ff97277b21cdb11c4424ff0915c3b7
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-26 | acl-plugin: fix the stateful ICMP handling and add testcases | Andrew Yourtchenko | 1 file | -39/+40
  The stateful ICMP/ICMPv6 handling got broken. Fix that and introduce testcases to catch it in the future.
  Change-Id: Ie602e72d6ac613d64ab0bf6693b6d75afb1a9552
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-25 | acl-plugin: optimize session idle timer checks | Andrew Yourtchenko | 5 files | -32/+93
  This commit adds explicit signaling from a non-owning thread to the owning thread to restart the session timer as necessary. Consequently, we now can sweep the session lists at their respective timeouts, rather than sweeping all the lists at the pace of the shortest timeout value, just taking care to wake up if the session requeue to a different list results in needing to wake up earlier.
  Change-Id: Ifc8c500f6988748f4cd3dc184dd7824321aaaaca
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-24 | Trivial: Clean up some typos. | Paul Vinciguerra | 9 files | -14/+14
  Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
  Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-09-14 | acl-plugin: do not do clib_smp_atomic_add on per-worker counters | Andrew Yourtchenko | 1 file | -2/+2
  Just do a regular increment, since we are not contending for these counters. This also makes the tests pass on ARM ThunderX (VPP-1395).
  Change-Id: I333aaa11d4145d13d322868900bc114df85a020d
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-06 | acl-plugin: VPP-1400: fix crash when removing a session entry | Andrew Yourtchenko | 1 file | -0/+2
  bihash deletion operation may in turn do underlying memory operations, so ensure it is using the correct (private) heap.
  Change-Id: Ibef7ad7f9db6fa83da02316bf7509072ce579bc0
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit f74b4d2b559b1d5697fd625d9c8e0f76ba5a4463)
2018-09-05 | acl-plugin: VPP-1400: VPP may crash when performing ACL modifications on applied ACLs | Andrew Yourtchenko | 2 files | -61/+91
  The partition_split() did not increment the refcount when using a mask type index, thus subsequent modifications potentially resulted in double frees and in the best case immediate crash, in the worst case delayed crash in another place.
  Introduce the lock_mask_type_index() and call it, move the mask type index related functions closer to the top of the file. Make the assignment of the new mask type indices for the tuplemerge case to use the assign_mask_type_index(). Keep some debugs in case we need to investigate this further at some point.
  Change-Id: Iae370f5cd92e1fe1442480db34656a8a3442dbc0
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit 1edc406da3d4f6e63de2f278360b5753f55c00df)
2018-09-03 | acl-plugin: fix the memory leak with colliding entries storage | Andrew Yourtchenko | 1 file | -4/+73
  Change-Id: I634971f6376a7ea49de718ade9139e67eeed48e5
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit d039281e11cfc4580fe140e72390c1c48688c722)
2018-08-27 | cmake: Fix plugins .h includes | Mohsin Kazmi | 1 file | -0/+5
  Change-Id: I90600d000afb02e8969f3c01bcf9e4b5c10a7d39
  Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-08-27 | cmake: add missing vat plugins | Damjan Marion | 1 file | -0/+3
  Change-Id: Ib61f0299c17c0f021408ab0a44c5b54f55f8a8ec
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-25 | cmake: improve add_vpp_plugin macro | Damjan Marion | 1 file | -2/+5
  Change-Id: Iffd5c45ab242a919592a1f686f7f880936b68a1a
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-17 | CMake as an alternative to autotools (experimental) | Damjan Marion | 1 file | -0/+21
  Change-Id: Ibc59323e849810531dd0963e85493efad3b86857
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-13 | Multiarch handling in different constructor macros | Damjan Marion | 1 file | -4/+3
  This significantly reduces need for ... in multiarch code. Simply constructor macros will just create static unused entry if CLIB_MARCH_VARIANT is defined and that will be optimized out by compiler.
  Change-Id: I17d1c4ac0c903adcfadaa4a07de1b854c7ab14ac
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-09 | acl-plugin: fix failures in some of IPv4 test-debug testcases | Andrew Yourtchenko | 1 file | -4/+4
  Commit 1c7bf5d41737984907e8bad1dc832eb6cb1d6288 added the poisoning of the newly freed memory in debug builds, exposing a logic error in mask assignment code - it passed a pointer to within a pool to a function which might potentially expand the pool. This resulted in a failure of the test in the debug version. Fix that by making a local copy of the value before passing a pointer to it.
  Change-Id: I73f3670672c3d86778aad0f944d052d0480cc593
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-08-03 | acl-plugin: fill in the 5tuple structure all at once, avoid short writes | Andrew Yourtchenko | 1 file | -5/+3
  This change avoids the long-read-after-short-write, resulting in a small performance improvement.
  Change-Id: Ic01d1fd19182e96100ccaf441d7ab5e5898b9734
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-07-31 | acl-plugin: move the acl epoch calculation into inline function | Andrew Yourtchenko | 1 file | -7/+15
  Change-Id: Ifc8b3d30d66c7ade1e3584844ce3f82d42d2fb94
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-07-23 | fix vector index range checks | Eyal Bari | 2 files | -10/+5
  Change-Id: I63c36644c9d93f2c3ec6606ca0205b407499de4e
  Signed-off-by: Eyal Bari <ebari@cisco.com>
2018-07-19 | Remove unused argument to vlib_feature_next | Damjan Marion | 1 file | -1/+1
  Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-18 | Add config option to use dlmalloc instead of mheap | Dave Barach | 2 files | -7/+17
  Configure w/ --enable-dlmalloc, see .../build-data/platforms/vpp.mk
  src/vppinfra/dlmalloc.[ch] are slightly modified versions of the well-known Doug Lea malloc. Main advantage: dlmalloc mspaces have no inherent size limit.
  Change-Id: I19b3f43f3c65bcfb82c1a265a97922d01912446e
  Signed-off-by: Dave Barach <dave@barachs.net>
2018-07-16 | acl-plugin: fix coverity errors 186574,186575,186576,186577,183451 | Andrew Yourtchenko | 1 file | -20/+1
  Fix the copypaste-triggered errors in load-from-file ACL test code. Also, add an explicit exit(1) after clib_error() to convince coverity that code path is terminal indeed.
  Change-Id: I1deedb49144559c9183449005ada0433c24db18a
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-27 | acl: fix for loop initial declaration | Florin Coras | 1 file | -1/+2
  Change-Id: Ie899ccbaae4df7cce4ebbba47ed6c3cce5269bdb
  Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-06-27 | acl-plugin: tm: avoid hash calculation dependency on a memory store operation | Andrew Yourtchenko | 1 file | -1/+9
  A small store into the middle of a larger structure that was subsequently loaded for calculating the bihash key was noticeably impacting the performance.
  Change-Id: If7f33e1b66e8b438ba7cc91abc0ca749850c6e45
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-27 | acl-plugin: tm: add tuplemerge algorithm for relaxing the hashtable masks | Andrew Yourtchenko | 3 files | -5/+625
  Slightly refactored from the initial implementation of the TupleMerge [1] algorithm by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr)
  [1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10
  Also add startup parameters to turn on/off the algorithm ("use tuple merge 1/0"), and a startup parameter to be able to tweak the split threshold ("tuple merge split threshold N"); the default value of the split threshold is 39 as per paper, but some more tuning might be necessary to find the best value.
  This change, alongside the optimizations which avoid extra lookups, significantly reduces the slowdown on the ClassBench generated ACLs, which are supposed to resemble realistic ACLs seen in use in the field.
  Change-Id: I9713e4673970e9a62d4d9e9718365293375fab7b
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-26 | acl-plugin: tm: optimize multi-lookups and prepare to add tuplemerge | Andrew Yourtchenko | 6 files | -252/+456
  - instantiate the per-use mask type entry for a given hash ACE; this prepares for adding tuplemerge, where the applied ACE may have a different mask type due to relaxing of the tuples
  - store the vector of the colliding rules for linear lookups rather than traversing the linked list.
  - store the lowest rule index for a given mask type inside the structure. This allows skipping the lookups at the later mask types if we already matched an entry that is in front of the very first entry in the new candidate mask type, thus saving a worthless hash table lookup.
  - use a vector of mask type indices rather than bitmap, in the sorted order (by construction) of ascending lowest rule index - this allows terminating the lookups early.
  - adapt the debug cli outputs accordingly to show the data
  - propagate the is_ip6 into the inner calls
  Change-Id: I7a67b271e66785c6eab738b632b432d5886a0a8a
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-25 | acl-plugin: remove the noisy debug output | Andrew Yourtchenko | 1 file | -1/+1
  Change-Id: I6a3cfcb24f5027ec0f2cd2ec21ea47a01fef331b
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-21 | acl-plugin: fallback to linear ACL search for fragments | Andrew Yourtchenko | 2 files | -38/+34
  Trying to accommodate fragments as first class citizens has shown to be more trouble than it's worth. So fall back to linear ACL search in case it is a fragment packet. Delete the corresponding code from the hash matching.
  Change-Id: Ic9ecc7c800d575615addb33dcaa89621462e9c7b
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-20 | acl-plugin: acl-as-a-service: VPP-1248: fix the error if exports.h included in more than one C file | Andrew Yourtchenko | 8 files | -194/+198
  Including the exports.h from multiple .c files belonging to a single plugin results in an error. Rework the approach to require the table of function pointers to be filled in by the initialization function.
  Since the inline functions are compiled in the "caller" context, there is no knowledge about the acl_main structure used by the ACL plugin. To help with that, the signature of inline functions is slightly different, taking the p_acl_main pointer as the first parameter. That pointer is filled into the .p_acl_main field of the method table during the initialization - since the calling of non-inline variants would have required filling the method table, this should give minimal headaches during the use and switch between the two methods.
  Change-Id: Icb70695efa23579c46c716944838766cebc8573e
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-17 | acl-plugin: fix the high cpu usage caused by the connection cleaner | Andrew Yourtchenko | 1 file | -1/+2
  The commit 4bc1796b346efd10f3fb19b176ff089179263a24 had incorrect calculation of the session lists minimal timeout, resulting in returned value of 0 which resulted in existing sessions constantly requeued, taking up the CPU. Fix this calculation.
  Change-Id: I9a789739f96a1f01522c68f91b0a02db2417837f
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-17 | acl-plugin: split (L3) and (L4/pkt) logic of creation of 5tuple structure, optimize stores in the (l4/pkt) | Andrew Yourtchenko | 1 file | -46/+70
  Having two pieces of code - one for the now much simpler job of recreating L3 info, one for the more difficult job of building L4/pkt metadata - allows more degrees of freedom for optimizations. Also, construct the metadata in local variables first before saving it into the memory structure; this means fewer memory stores, and they are better aligned, allowing them to coalesce with subsequent reads if needed.
  Change-Id: Icb35d933834b14294f875362c9b58db3feb38d99
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-14 | acl-plugin: VAT: add an option to load entire ACL from a ClassBench ruleset file for testing | Andrew Yourtchenko | 1 file | -0/+190
  Add a command "acl_add_replace_from_file" to VAT which can load a ruleset and add an ACL with it. There are a few options which augment the ACL being created: "permit+reflect" or "permit" alter the default action from deny on the ACEs created. "append-default-permit" adds an entry in the end with the "permit+reflect" if the default action has been changed to permit+reflect, or with a simple permit otherwise.
  This command is IPv4-only because the available datasets were IPv4-only.
  Change-Id: I26b9f33ecb6b59e051d1d9cbafedbc47e8203392
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-14 | acl-plugin: use 16_8 bihash for IPv4 sessions and 40_8 bihash for IPv6 sessions | Andrew Yourtchenko | 7 files | -84/+165
  Add a new kv_16_8 field into 5tuple union, rename the existing kv into kv_40_8 for clarity, and add the compile-time alignment constraints.
  Change-Id: I9bfca91f34850a5c89cba590fbfe9b865e63ef94
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-13 | acl-plugin: change the src/dst L3 info in 5tuple struct to be always contiguous with L4 data | Andrew Yourtchenko | 6 files | -97/+156
  Using ip46_address_t was convenient from an operational point of view but created some difficulties dealing with IPv4 addresses - the extra 3x of u32 padding are costly, and the "holes" mean we can not use the smaller key-value data structures for the lookup.
  This commit changes the 5tuple layout for the IPv4 case, such that the src/dst addresses directly precede the L4 information. That will allow treating the same data within 40x8 key-value structure as a 16x8 key-value structure starting with 24 byte offset.
  Change-Id: Ifea8d266ca0b9c931d44440bf6dc62446c1a83ec
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-02 | acl-plugin: multicore: session management fixes | Andrew Yourtchenko | 6 files | -151/+332
  - implement a 1us purgatory for the session structures by adding a special connection list, where all connections about to be deleted go.
  - add per-list-head timeouts updated upon the list enqueue/dequeue for connection idle management
  - add an "unused" session list with list ID#0, which should never be used unless there is a logic error. Use this ID to initialize the sessions.
  - improve the maintainability of the session linked list structures by using symbolic bogus index name instead of ~0
  - change the ordering of session creations - first reverse, then local. To minimize the potential for two workers competing for the same session in the corner case of the two packets on different workers creating the same logical session
  - reduce the maximum session count to keep the memory usage the same
  - add extra log/debug/trace to session cleaning logic
  - be more aggressive with cleaning up sessions
  - wind up the interrupts from the workers to themselves if there is more work to do
  Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-29 | Add VLIB_NODE_FN() macro to simplify multiversioning of node functions | Damjan Marion | 1 file | -117/+25
  Change-Id: Ibab5e27277f618ceb2d543b9d6a1a5f191e7d1db
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-05-28 | acl-plugin: move to per-frame buffer pointer calculations and enqueue to next nodes | Andrew Yourtchenko | 1 file | -208/+191
  Use the new frame-at-once functions vlib_get_buffers() and vlib_buffer_enqueue_to_next() to calculate the buffer pointers and to dispatch the packets after the processing. This simplifies the dataplane node processing loop.
  Change-Id: I454308f847aac76a199f8dd7490c1e176414bde7
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-27 | acl-plugin: use clib_bihash_search_inline_2_40_8 rather than clib_bihash_search_40_8 for session lookups | Andrew Yourtchenko | 2 files | -5/+3
  Use inline version rather than calling the function, this gives slightly better performance.
  The straightforward diff uncovered an interesting problem: the stateful ACL IPv4 unit tests would fail for the "make test" but succeed in "make test-debug". Also, they would succeed even in "make test", if before calling the clib_bihash_search_inline_2_40_8 we would change the code to store the key in a temporary variable.
  Debugging revealed that the generated optimized code is not what one would expect: the zeroing of the u64s overlaying the memcpy into ipv4 value of ip46_address_t made the optimizer not notice the latter, and think that those fields should be always zero in the bihash, thus generating incorrect assembly for the bihash key comparison for the ipv4 nodes. Changing the zeroing to be non-overlapping by zeroing only the pad fields resulted in the optimizer generating the correct code and the tests pass.
  Change-Id: Ib0f55cef2b5fe70c931d17ca4dc32a5755d160cd
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-26 | acl-plugin: create forward and return sessions in lieu of making a special per-packet session key | Andrew Yourtchenko | 5 files | -121/+156
  Using a separate session key has proven to be tricky for the following reasons:
  - it's a lot of storage to have what looks to be nearly identical to 5tuple, just maybe with some fields swapped
  - shuffling the fields from 5tuple adds to memory pressure
  - the fact that the fields do not coincide with the packet memory means for any staged processing we need to use up a lot of memory
  Thus, just add two entries into the bihash table pointing to the same session entry, so we could match the packets from either direction. With this we have the key layout of L3 info (which takes up the majority of space for IPv6 case) the same as in the packet, thus, opening up the possibility for other optimizations. Not having to create and store a separate session key should also give us a small performance win in itself.
  Also, add the routine to show the session bihash in a better way than a bunch of numbers.
  Alas, the memory usage in the bihash obviously doubles.
  Change-Id: I8fd2ed4714ad7fc447c4fa224d209bc0b736b371
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-22 | acl-plugin: refactor to introduce multiarch dataplane functions | Andrew Yourtchenko | 5 files | -1614/+1997
  This commit splits the functions from fa_node.c into the pure dataplane node functions (which are multiarch-compiled), session management node functions (which are compiled only once), and session find/add/delete functions which are split out into the inlines.
  As part of the refactoring:
  - get rid of BV() macros in the affected chunk of code, rather use the explicit bihash function names.
  - add the magic trailer to the new files to ensure make checkstyle watches them.
  - move the bihash_template.c include for 40_8 bihash into acl.c
  Change-Id: I4d781e9ec4307ea84e92af93c09470ea2bd0c375
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-04 | Harmonize vec/pool_get_aligned object sizes and alignment requests | Dave Barach | 1 file | -0/+6
  Object sizes must evenly divide alignment requests, or vice versa. Otherwise, only the first object will be aligned as requested.
  Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at the end of structures, manually pad to an even divisor or multiple of the alignment request, or use plain vectors/pools.
  Static assert for enforcement.
  Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147
  Signed-off-by: Dave Barach <dbarach@cisco.com>
2018-04-17 | acl-plugin: VPP-1241: fix the "show acl-plugin tables applied" output | Andrew Yourtchenko | 2 files | -45/+20
  It is a relatively rarely used low level command for code that didn't change, but due to infra changes it did not survive. Having it working may be very useful for corner-case debugging. So, fix it for working with the acl-as-a-service infra.
  Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)
2018-04-13 | acl-plugin: VPP-1239: acl-as-a-service does not match IPv6 packets, works only in lookup context 0 | Andrew Yourtchenko | 2 files | -4/+5
  In process of extracting the matching out of the ACL plugin internals, a couple of pieces setting the miscellaneous fields in the 5tuple structure did not make it, so they are initialized to zeroes. Move the assignments to the right place to make both traffic acls and acl-as-a-service work.
  Change-Id: I66a7540a13b05113b599f0541999a18fad60385d
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit d3b96ef0d75889f09dc51efb89e5123cdbe7ffe8)
2018-04-12 | Fixes for 'make UNATTENDED=yes CC=clang CXX=clang verify' | Neale Ranns | 1 file | -1/+0
  Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb
  Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-04-11 | acl-plugin: VPP-1231: add error checking to acl_plugin_set_acl_vec_for_context | Andrew Yourtchenko | 1 file | -1/+26
  The users of ACL lookup contexts might not check the data they supply, so do it on their behalf in this function, and return an error if an ACL does not exist or if they attempt to apply the same ACL twice.
  Change-Id: I89d871e60f267ce643f88574c83baf9cd0a2d7b3
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit e5cbccf35f4d230afafa633abbc88e64ef33d758)
2018-04-11 | acl-plugin: VPP-1230: fix the "undefined symbol" error for acl_main when using the inline functions | Andrew Yourtchenko | 3 files | -9/+31
  The acl_main struct, which is defined in the acl_plugin, is not visible when the ACL plugin inline code is being compiled within the context of other plugins. Fix that by using the global pointer variable, which exists in both the ACL plugin context and is set in the context of the external plugins using ACL plugin.
  Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
  (cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
2018-03-30 | acl-plugin: implement an optional session reclassification when ACL is (re-)applied | Andrew Yourtchenko | 4 files | -10/+128
  There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision.
  This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface.
  There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows enabling the checking of the existing sessions against the current policy epoch in a given direction.
  The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions.
  If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work.
  Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
  Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>